DMARC rejection after Exchange upgrade
I'm having problems with inbound emails getting bounced as Undeliverable due to DMARC rejection.
For many years I've had my email come through Fasthosts / Livemail to my own domain (qts.org.uk) with catch-all forwarding set to forward everything to my GMail account. Just recently Fasthosts have upgraded their servers to Exchange and I've started getting DMARC rejections from GMail which start:
Diagnostic information for administrators:
Generating server: exchange2019.livemail.co.uk
Total retry attempts: 1
(my gmail email address)
t1-hex-xprelay.gem.livemail.co.uk
Remote Server returned '550 5.7.26 Message rejected by DMARC policy by gmail.com. Please use your own email address as the sender, instead of (sender's email address). [MSG0009]'
Which bounce from Fasthosts / Livemail back to my GMail address.
My own domain has SPF, DMARC, and DKIM configured.
I've done a little digging and it appears to only affect senders from originating domains with DMARC set to reject.
So either GMail has coincidentally become much more strict (possible) or Fasthosts are somehow failing to forward emails fully transparently.
I have spoken to Fasthosts and logged the issue with them and was not impressed, so I hope the experts here can offer a solution I can forward to them.
1 Reply
Hello,
This is not a Gmail issue. It is a forwarding and authentication alignment problem introduced by the Exchange upgrade.
What changed is most likely this:
Fasthosts are no longer forwarding mail transparently. Exchange is now re-submitting or relaying messages in a way that breaks SPF and DKIM alignment. When the original sender domain has DMARC set to p=reject, Gmail enforces DMARC strictly and rejects the message.
Why it fails technically:
- SPF fails after forwarding because Fasthosts servers are not authorised in the original sender’s SPF record.
- DKIM may be broken if headers or body are modified during forwarding.
- DMARC requires either SPF or DKIM to pass with alignment. If both fail, Gmail returns 550 5.7.26.
The error confirms this. Gmail is rejecting due to DMARC policy enforcement for the original sender domain.
What Fasthosts must implement:
They need to enable Sender Rewriting Scheme (SRS) on their forwarding platform. SRS rewrites the envelope sender during forwarding so SPF validation remains valid after relay.
Without SRS, any forwarded message from a domain with strict DMARC will fail SPF and therefore DMARC.
This is a well-known forwarding requirement in modern DMARC enforcement models.
Alternative mitigations:
- Disable catch-all forwarding and retrieve mail directly via POP or IMAP from Gmail.
- Replace forwarding with mailbox-level SMTP submission using authenticated relay.
- Migrate the domain fully to Google or Microsoft 365 and eliminate intermediate forwarding.
- Relax DMARC on the sending domains, which you do not control in most cases, so not realistic.
Clear conclusion:
This is almost certainly missing SRS implementation on Fasthosts Exchange-based forwarding. Ask them explicitly:
- Is SRS enabled on forwarding connectors?
- Is DKIM preserved during transport?
- Is the forwarding implemented as SMTP redirect or re-submission?
If they cannot support SRS, forwarding from strict DMARC domains will continue to fail.
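An added example, not part of the original thread or the reply: a small DMARC identifier-alignment check over Authentication-Results headers, showing how the SPF and DKIM outcomes discussed above combine into a pass or a reject at the receiver. All domains and header values are constructed samples, and relaxed alignment is approximated here without the Public Suffix List.

```python
import re

def _domain(value):
    """Lowercased domain part of an address, display-name form, or bare domain."""
    return value.rsplit("@", 1)[-1].strip("<> ").lower()

def aligned(ident, from_domain):
    # Assumption: relaxed alignment approximated as "same domain or parent/child".
    # A real evaluator compares organizational domains via the Public Suffix List.
    return (ident == from_domain or ident.endswith("." + from_domain)
            or from_domain.endswith("." + ident))

def dmarc_eval(auth_results, from_header):
    """Return which mechanisms pass *and* align with the From: domain."""
    from_domain = _domain(from_header)
    verdict = {"spf": False, "dkim": False}
    for clause in auth_results.split(";")[1:]:       # [0] is the authserv-id
        clause = re.sub(r"\([^)]*\)", "", clause)    # drop (comments)
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m or m.group(2) != "pass":
            continue
        ident = re.search(r"(?:smtp\.mailfrom|header\.d|header\.i)=(\S+)", clause)
        if ident and aligned(_domain(ident.group(1)), from_domain):
            verdict[m.group(1)] = True
    verdict["dmarc"] = "pass" if verdict["spf"] or verdict["dkim"] else "fail"
    return verdict

# Constructed sample data: a sender whose domain publishes p=reject.
FROM = "Alice <alice@bank.example>"
CASES = {
    "direct delivery":
        "mx.example.net; spf=pass smtp.mailfrom=alice@bank.example; "
        "dkim=pass header.d=bank.example",
    "forwarded, DKIM intact":
        "mx.example.net; spf=fail smtp.mailfrom=alice@bank.example; "
        "dkim=pass header.d=bank.example",
    "forwarded, body modified":
        "mx.example.net; spf=fail smtp.mailfrom=alice@bank.example; "
        "dkim=fail (body hash did not verify) header.d=bank.example",
    # SPF passes here, but for the forwarder's envelope domain, which does not
    # match the From: domain, so the verdict rests on the DKIM signature.
    "envelope rewritten, body modified":
        "mx.example.net; spf=pass "
        "smtp.mailfrom=SRS0=ab12=XY=bank.example=alice@forwarder.example; "
        "dkim=fail header.d=bank.example",
}

if __name__ == "__main__":
    for name, header in CASES.items():
        print(f"{name:36} {dmarc_eval(header, FROM)}")
```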